
WHAT IS RISK: A probability or threat of damage, injury, liability, loss, or other negative occurrence that is caused by external or internal vulnerabilities, and that may be neutralized through preemptive action. In other words, risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. ISO 31000 defines risk as the effect of uncertainty on objectives, whether positive or negative. Simplistically, a risk can be thought of as something that you would prefer not to have happen.

Risks may threaten the project, the software that is being developed, or the organization. There are, therefore, three related categories of risk:

1. Project risks are risks that affect the project schedule or resources. An example might be the loss of an experienced designer.
2. Product risks are risks that affect the quality or performance of the software being developed. An example might be the failure of a purchased component to perform as expected.
3. Business risks are risks that affect the organization developing or procuring the software. For example, a competitor introducing a new product is a business risk.

A NASA model showing areas at high risk from impact for the International Space Station.

Possible software risks

WHAT IS RISK MANAGEMENT


The process of analyzing exposure to risk and determining how best to handle such exposure. In other words, risk management is the identification, assessment, and prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events, or to maximize the realization of opportunities. In short, risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.

Risks can come from uncertainty in financial markets, project failures, legal liabilities, credit risk, accidents, natural causes and disasters, as well as deliberate attacks from an adversary. Several risk management standards have been developed, including those of the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO. Methods, definitions and goals vary widely according to whether the risk management method is applied in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.

Risk management encompasses three processes: risk assessment, risk mitigation, and evaluation and assessment. The risk assessment process includes the identification and evaluation of risks and risk impacts, and the recommendation of risk-reducing measures. Risk mitigation refers to prioritizing, implementing, and maintaining the appropriate risk-reducing measures recommended by the risk assessment process. The continual evaluation process is one of the keys to implementing a successful risk management program. The DAA (Designated Approving Authority) or system authorizing official is responsible for determining whether the remaining risk is at an acceptable level, or whether additional security controls should be implemented to further reduce or eliminate the residual risk, before authorizing (or accrediting) the IT system for operation.

Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations' missions. This process is not unique to the IT environment; indeed, it pervades decision-making in all areas of our daily lives. Consider the case of home security. Many people decide to have home security systems installed and pay a monthly fee to a service provider to have these systems monitored for the better protection of their property. Presumably, the homeowners have weighed the cost of system installation and monitoring against the value of their household goods and their family's safety, a fundamental mission need.
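The three processes described above (assessment, mitigation, and evaluation of residual risk against an acceptable level) can be made concrete with a small risk register. The following is an added example written for this page, not code from the text or from any standard: the 1-5 likelihood and impact scale, the three sample risks (one per category from the text), the candidate controls and their costs are all constructed for illustration. Risk is scored as likelihood x impact; mitigation picks the cheapest set of controls that brings the residual score within the threshold; evaluation flags any risk that no affordable control set can bring within appetite, which is the decision the authorizing official then has to make explicitly.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Control:
    """A risk-reducing measure; reductions are in steps of the 1-5 scale (constructed)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0
    cost: float = 0.0  # constructed annual cost units


@dataclass(frozen=True)
class Risk:
    name: str
    category: str    # "project", "product" or "business", as in the text
    likelihood: int  # 1 (very low) .. 5 (very high), constructed scale
    impact: int

    def inherent_score(self) -> int:
        return self.likelihood * self.impact


def residual_score(risk, controls):
    """Score after applying controls; neither factor can drop below 1."""
    like = max(1, risk.likelihood - sum(c.likelihood_reduction for c in controls))
    imp = max(1, risk.impact - sum(c.impact_reduction for c in controls))
    return like * imp


def prioritize(risks):
    """Assessment: rank by inherent score, highest first (name breaks ties)."""
    return sorted(risks, key=lambda r: (-r.inherent_score(), r.name))


def cheapest_acceptable_plan(risk, candidates, threshold):
    """Mitigation: the lowest-cost subset of candidate controls that brings the
    residual score to or below the threshold, or None if no subset does."""
    best = None
    for n in range(len(candidates) + 1):
        for subset in combinations(candidates, n):
            if residual_score(risk, subset) <= threshold:
                cost = sum(c.cost for c in subset)
                if best is None or cost < best[1]:
                    best = (list(subset), cost)
    return best


def evaluate(risks, plans, threshold):
    """Evaluation: residual score per risk and whether it is within appetite.
    A risk with no acceptable plan keeps its inherent score and is flagged for
    the authorizing official to accept explicitly or to fund more controls."""
    report = {}
    for r in risks:
        plan = plans.get(r.name)
        controls = plan[0] if plan else []
        score = residual_score(r, controls)
        report[r.name] = (score, score <= threshold)
    return report


# Constructed sample register using the three categories from the text.
SAMPLE_RISKS = [
    Risk("Loss of experienced designer", "project", likelihood=3, impact=4),
    Risk("Purchased component underperforms", "product", likelihood=2, impact=5),
    Risk("Competitor introduces new product", "business", likelihood=4, impact=3),
]

# Constructed candidate controls per risk (hypothetical names, costs and effects).
CANDIDATE_CONTROLS = {
    "Loss of experienced designer": [
        Control("Retention bonus", likelihood_reduction=1, cost=5000),
        Control("Cross-train a second designer", impact_reduction=2, cost=8000),
    ],
    "Purchased component underperforms": [
        Control("Acceptance testing before integration", impact_reduction=2, cost=3000),
        Control("Qualify a second-source component", impact_reduction=2, cost=12000),
    ],
    "Competitor introduces new product": [
        Control("Market monitoring", likelihood_reduction=1, cost=2000),
    ],
}


def run_register(threshold=6):
    """Run assessment, mitigation and evaluation over the sample register."""
    ranking = [r.name for r in prioritize(SAMPLE_RISKS)]
    plans = {
        r.name: cheapest_acceptable_plan(r, CANDIDATE_CONTROLS[r.name], threshold)
        for r in SAMPLE_RISKS
    }
    report = evaluate(SAMPLE_RISKS, plans, threshold)
    return ranking, plans, report


if __name__ == "__main__":
    ranking, plans, report = run_register()
    print("Priority order:", ranking)
    for name, (score, ok) in report.items():
        plan = plans[name]
        chosen = [c.name for c in plan[0]] if plan else "no affordable control set"
        print(f"{name}: residual {score}, {'accept' if ok else 'ESCALATE'} ({chosen})")
```

With the constructed values and a threshold of 6, the designer risk is brought within appetite by cross-training alone (the cheaper retention bonus on its own is not enough), the component risk by acceptance testing, while the competitor risk has no candidate control set that suffices and stays at its inherent score of 12, so it is reported as not acceptable and left to the authorizing official's decision rather than silently treated as handled.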
